Title: Manually adding recommended security headers problems
Last modified: January 1, 2023

---

# Manually adding recommended security headers problems

 *  Resolved [gobbetto](https://wordpress.org/support/users/gobbetto/)
 * (@gobbetto)
 * [3 years, 5 months ago](https://wordpress.org/support/topic/manually-adding-recommended-security-headers-problems/)
 * I followed your guide to Manually adding recommended security headers on WordPress:
   [https://really-simple-ssl.com/site-health-recommended-security-headers/](https://really-simple-ssl.com/site-health-recommended-security-headers/)
   but it is not working
 * the site crashes and tells me there is a problem with the file .htaccess
 * this is my .htaccess before:
 *     ```wp-block-code
       # BEGIN LSCACHE
       # END LSCACHE
       # BEGIN NON_LSCACHE
       # END NON_LSCACHE
   
       # This file was updated by Duplicator on 2018-03-25 07:05:17. See .htaccess.orig for the original .htaccess file.
       # Please note that other plugins and resources write to this file. If the time-stamp above is different
       # than the current time-stamp on the file system then another resource has updated this file.
       # Duplicator only writes to this file once during the install process while running the installer.php file.
   
       # The directives (lines) between BEGIN WordPress and END WordPress are
       # dynamically generated, and should only be modified via WordPress filters.
       # Any changes to the directives between these markers will be overwritten.
   
       # Really Simple SSL
       Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
       Header always set Content-Security-Policy "upgrade-insecure-requests"
       Header always set X-Content-Type-Options "nosniff"
       Header always set X-XSS-Protection "1; mode=block"
       Header always set Expect-CT "max-age=7776000, enforce"
       Header always set Referrer-Policy: "no-referrer-when-downgrade"
       # End Really Simple SSL
   
       # Begin Really Simple Security
       RewriteEngine on
       RewriteCond %{HTTP:X-Forwarded-Proto} !https
       RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
       Options -Indexes
       # End Really Simple Security
   
       # BEGIN WordPress
       # The directives (lines) between BEGIN WordPress and END WordPress are
       # dynamically generated, and should only be modified via WordPress filters.
       # Any changes to the directives between these markers will be overwritten.
       RewriteEngine On
       RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
       RewriteBase /
       RewriteRule ^index.php$ - [L]
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . /index.php [L]
       # END WordPress
       ```
   
 * Thanks in advance

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Plugin Contributor [Rogier Lankhorst](https://wordpress.org/support/users/rogierlankhorst/)
 * (@rogierlankhorst)
 * [3 years, 5 months ago](https://wordpress.org/support/topic/manually-adding-recommended-security-headers-problems/#post-16333267)
 * I would try to remove all lines but one. If it still fails, your hosting company
   probably does not support security headers in the htaccess. They will be able
   to tell you more.
 *  Thread Starter [gobbetto](https://wordpress.org/support/users/gobbetto/)
 * (@gobbetto)
 * [3 years, 5 months ago](https://wordpress.org/support/topic/manually-adding-recommended-security-headers-problems/#post-16335063)
 * i will try
 * thanks a lot
 *  Thread Starter [gobbetto](https://wordpress.org/support/users/gobbetto/)
 * (@gobbetto)
 * [3 years, 5 months ago](https://wordpress.org/support/topic/manually-adding-recommended-security-headers-problems/#post-16359565)
 * Hi, I asked my host and he told me to make the following changes:
   create a `.user.ini` file with inside `auto_prepend_file = "/home/mhd/www.aeki.biz/htdocs/prepend_headers.php"`
 * then create a file named **prepend_headers.php** with inside this code
 *     ```wp-block-code
       <?php
       header('X-XSS-Protection: 1; mode=block');
       header('X-Frame-Options: DENY');
       header('X-Content-Type-Options: nosniff');
       header('Referrer-Policy: same-origin');
       header('Content-Security-Policy: upgrade-insecure-requests');
       ```
   
 * and they told me to leave the changes in the htaccess file as well
 * after all these operations the problem persists.
   How do I solve it? Thank you
 *  Plugin Contributor [Rogier Lankhorst](https://wordpress.org/support/users/rogierlankhorst/)
 * (@rogierlankhorst)
 * [3 years, 5 months ago](https://wordpress.org/support/topic/manually-adding-recommended-security-headers-problems/#post-16361311)
 * If following instructions from your hosting provider still results in the site crashing,
   I would check with them. As I don’t know how your provider has configured your
   server, I can’t say why following their suggestions on their server results in
   issues, but I guess they will know what the problem is.
 * But I would think that if adding the rules to the .htaccess results in issues,
   there is a configuration on the server that causes this. Removing those lines
   then seems best.
 * And, I would not add the headers both in php and .htaccess, as this could result
   in duplicate headers. So I would ignore that part of your hoster’s advice anyway.
   It’s best to choose: in php or in the .htaccess. If .htaccess on your hosting
   environment doesn’t work, I’d go for the php approach.
 *  Thread Starter [gobbetto](https://wordpress.org/support/users/gobbetto/)
 * (@gobbetto)
 * [3 years, 4 months ago](https://wordpress.org/support/topic/manually-adding-recommended-security-headers-problems/#post-16363362)
 * After the changes made the site works,
   but in the WordPress improvement checks
   I still get the warning to fix the security headers.
   In practice, with the changes made, nothing has changed.
   Thank you
 *  Plugin Contributor [Rogier Lankhorst](https://wordpress.org/support/users/rogierlankhorst/)
 * (@rogierlankhorst)
 * [3 years, 4 months ago](https://wordpress.org/support/topic/manually-adding-recommended-security-headers-problems/#post-16363596)
 * You can check here if the headers are configured correctly:
 * [https://scan.really-simple-ssl.com](https://scan.really-simple-ssl.com)
 * If that is the case, it might be that the server blocks the test, causing a false
   positive.
 *  Thread Starter [gobbetto](https://wordpress.org/support/users/gobbetto/)
 * (@gobbetto)
 * [3 years, 4 months ago](https://wordpress.org/support/topic/manually-adding-recommended-security-headers-problems/#post-16366855)
 * test result:
 * red problem
 * HTTP Strict Transport Security (HSTS)
   Not Found
   Recommended: includeSubDomains; preload; max-age=63072000
 * Permissions-Policy
   Not Found
   Recommended: Do not use *. e.g. for the camera feature: camera=(‘self’), camera=() or camera=(‘yourdomain.com’)
 * yellow problem
 * Referrer-Policy
   Content: same-origin
   Recommended: strict-origin-when-cross-origin
 * X-XSS-Protection
   Content: 1; mode=block
   Recommended: 0
 * the others are ok
 * thanks
    -  This reply was modified 3 years, 4 months ago by [gobbetto](https://wordpress.org/support/users/gobbetto/).
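
Added example, not part of the original thread and not the plugin's or the host's own code: a `prepend_headers.php` that sets the values the scan result above lists as recommended and sends each header once. The `X-Forwarded-Proto` check and the `camera=()` policy are assumptions; adjust both to the actual server and site.

```php
<?php
// Added example: security headers sent from PHP only, using the values the
// scanner output in the thread lists as recommended.

// Assumption: TLS may be terminated by a proxy that sets X-Forwarded-Proto,
// which the redirect rule in the posted .htaccess also relies on.
function request_is_https(array $server): bool
{
    $https = strtolower($server['HTTPS'] ?? '');
    $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    return ($https !== '' && $https !== 'off') || $proto === 'https';
}

function security_headers(bool $isHttps): array
{
    $headers = [
        // Unchanged from the posted prepend_headers.php (reported as ok).
        'X-Content-Type-Options'  => 'nosniff',
        'X-Frame-Options'         => 'DENY',
        'Content-Security-Policy' => 'upgrade-insecure-requests',
        // Changed to the values the scan recommends.
        'Referrer-Policy'         => 'strict-origin-when-cross-origin',
        'X-XSS-Protection'        => '0',
        // Illustrative value: list the features this site needs to restrict.
        'Permissions-Policy'      => 'camera=()',
    ];
    if ($isHttps) {
        // Browsers ignore HSTS over plain HTTP. includeSubDomains and preload
        // apply to every subdomain; drop them if any subdomain lacks HTTPS.
        $headers['Strict-Transport-Security'] =
            'max-age=63072000; includeSubDomains; preload';
    }
    return $headers;
}

if (!headers_sent()) {
    foreach (security_headers(request_is_https($_SERVER)) as $name => $value) {
        // replace=true overwrites a same-named header already set from PHP.
        header("$name: $value", true);
    }
}
```

The `replace` flag only affects headers set from PHP; it does not remove headers added by `Header always set` in `.htaccess`, so the headers should still be configured in one place only.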
